[jira] [Commented] (QPID-2518) Qpid C++ broker can easily be blocked by client trying to connect over SSL port
[ https://issues.apache.org/jira/browse/QPID-2518?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13283567#comment-13283567 ]

Andrew Stitcher commented on QPID-2518:
---------------------------------------

Good point - that'll teach me to actually read the words in the bug report, rather than reading the words I expect to be there.

> Qpid C++ broker can easily be blocked by client trying to connect over SSL port
> -------------------------------------------------------------------------------
>
>                 Key: QPID-2518
>                 URL: https://issues.apache.org/jira/browse/QPID-2518
>             Project: Qpid
>          Issue Type: Bug
>          Components: C++ Broker
>         Environment: Red Hat Enterprise MRG 1.2
>            Reporter: Armin Noll
>            Assignee: Andrew Stitcher
>             Fix For: 0.17
>
>
> We are running a C++ broker as daemon with the following configuration:
>
> log-enable=info+
> log-to-file=/var/lib/qpidd/op_prod09/data/0097/qpidd.log
> log-to-syslog=no
> auth=yes
> acl-file=qpidd.acl
> realm=QPID0097
> data-dir=/var/lib/qpidd/op_prod09/data/0097
> pid-dir=/var/lib/qpidd/op_prod09/data/0097
> port=20097
> wait=30
> num-jfiles=4
> jfile-size-pgs=1
> wcache-page-size=128
> tpl-num-jfiles=4
> tpl-jfile-size-pgs=1
> tpl-wcache-page-size=128
> ssl-cert-db=/var/lib/qpidd/op_prod09/data/0097
> ssl-port=10097
> ssl-cert-name=RGC001
> ssl-cert-password-file=/var/lib/qpidd/op_prod09/data/0097/amq_cert_db.pwd
> ssl-require-client-authentication=yes
> cluster-name=QPID0097
> cluster-url=amqp:tcp:172.16.45.198:20097
> cluster-username=x
> cluster-password=x
>
> We tried to connect an application to the SSL port which does not "talk" the
> correct protocol. We simply used telnet:
> $ telnet 172.16.45.198 10097
>
> The result was (we waited at least 30 min, then killed the process running
> telnet):
> The broker doesn't react anymore, no more new client connections can be
> established, the broker even cannot be stopped with "qpidd -p 20097 -q".
>
> This way anybody in the world could easily block our service provided over a
> Qpid broker.
> Is there a way to get around this?
> This issue has also been reported as Red Hat service request no. 2014266.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

-
To unsubscribe, e-mail: dev-unsubscr...@qpid.apache.org
For additional commands, e-mail: dev-h...@qpid.apache.org
[jira] [Commented] (QPID-2518) Qpid C++ broker can easily be blocked by client trying to connect over SSL port
[ https://issues.apache.org/jira/browse/QPID-2518?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13283542#comment-13283542 ]

Gordon Sim commented on QPID-2518:
----------------------------------

The bug as originally reported related to broker *threads* being blocked on SSL handshake. The further 'fix' is for a separate issue preventing idle connections being established (note however that it only handles a particular pattern there anyway).
[jira] [Commented] (QPID-2518) Qpid C++ broker can easily be blocked by client trying to connect over SSL port
[ https://issues.apache.org/jira/browse/QPID-2518?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13280617#comment-13280617 ]

Andrew Stitcher commented on QPID-2518:
---------------------------------------

This change limits the impact of CVE-2012-2145, but doesn't prevent a determined DoS attack on a broker.
[jira] [Commented] (QPID-2518) Qpid C++ broker can easily be blocked by client trying to connect over SSL port
[ https://issues.apache.org/jira/browse/QPID-2518?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13280610#comment-13280610 ]

Andrew Stitcher commented on QPID-2518:
---------------------------------------

These code changes introduce a timer that gets started when a new connection is accepted. If the protocol negotiation phase isn't completed within a specified period then the connection will be aborted.

A new option is introduced to control the timer timeout period:

  --max-negotiate-time

The default timeout is 2000ms (2s) which gives a lot of latitude for network delays.
[jira] [Commented] (QPID-2518) Qpid C++ broker can easily be blocked by client trying to connect over SSL port
[ https://issues.apache.org/jira/browse/QPID-2518?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13273591#comment-13273591 ]

Andrew Stitcher commented on QPID-2518:
---------------------------------------

This bug also applies to regular TCP connections.
[jira] Commented: (QPID-2518) Qpid C++ broker can easily be blocked by client trying to connect over SSL port
[ https://issues.apache.org/jira/browse/QPID-2518?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12859250#action_12859250 ]

Gordon Sim commented on QPID-2518:
----------------------------------

See also https://issues.apache.org/jira/browse/QPID-2083 and note that r790291 makes the error handling less meaningful.

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

-
Apache Qpid - AMQP Messaging Implementation
Project: http://qpid.apache.org
Use/Interact: mailto:dev-subscr...@qpid.apache.org
[jira] Commented: (QPID-2518) Qpid C++ broker can easily be blocked by client trying to connect over SSL port
[ https://issues.apache.org/jira/browse/QPID-2518?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12859248#action_12859248 ]

Gordon Sim commented on QPID-2518:
----------------------------------

A further measure would be to have a configurable timeout for connections that do not complete the handshake and disconnect them.
[jira] Commented: (QPID-2518) Qpid C++ broker can easily be blocked by client trying to connect over SSL port
[ https://issues.apache.org/jira/browse/QPID-2518?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12859035#action_12859035 ]

Gordon Sim commented on QPID-2518:
----------------------------------

I believe this is addressed by http://svn.apache.org/viewvc?view=revision&revision=790291.